Skip to main content

How nuclear deal has cooled Iran-US cyberwar

Once-threatening cyberattacks between the United States and Iran appear to have slowed since the countries reached a nuclear pact.
Man poses in front of on a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. A previously undisclosed hacking campaign against military targets in Israel and Europe is probably backed by a country that misused security-testing software to cover its tracks and enhance its capability, researchers said. Picture taken December 27, 2014. REUTERS/Dado Ruvic (BOSNIA AND HERZEGOVINA - Tags: SCIENCE TECHNOLOGY CRIME LAW TPX IMAGES OF THE DAY) - RTR4JEYI

Sitting in a brightly lit apartment in Brooklyn, an American hacker who asked Al-Monitor to call him Alex scribbled down a dizzying array of cyberstrikes between the United States/Israel and Iran since 2010. The page was fast being covered in Alex’s rushed handwriting, and his eyes glimmered with excitement.

“They’ve gotten incredibly sophisticated,” he said as he marveled at the speed at which Iranian hackers have been able to create a defensive and offensive arm against Western cyberattacks. Yet, as he neared 2015 on his ad hoc timeline, his pen began to slow.

“With the Iran [nuclear] deal, we saw a parallel cooling down of attacks in the cyberworld. The nuclear deal has not only opened discussion with the Iranians on nuclear issues, but it has created a mutual detente in the cyberworld, and that’s huge, because cyberwarfare between Iran and the West was getting to really bad levels.”

David, an Iranian-American internet security specialist who spoke to Al-Monitor on condition of anonymity, agreed. He said, “Before the Iran deal, we were witnessing a heightened level of cyberwarfare between Iran and the US/Israel. It was getting to a very [worrisome] level, as Iran’s capabilities had increased exponentially in a very short period of time. But the Iran deal has put a halt to all of this.” David's employer is one of the leading US firms that monitor Iranian cyberactivity.

Until the 2011 emergence of Stuxnet, a malicious computer worm reportedly built by the United States and Israel to sabotage Iran’s nuclear program, Iranian cyberstrike capabilities were virtually nonexistent. Until then, the Islamic Republic was focusing on its own citizens. Local hackers contracted by the authorities spent time monitoring domestic netizens. With the advent of the 2009 Green Movement, Iran officially created the “Iranian Cyber Army,” further tapping into the extensive surveillance network that German firm Siemens had installed in the country. The key stakeholders in the Cyber Army include the Islamic Revolutionary Guard Corps and the Basij paramilitary militia. To counter Stuxnet, Iran began pouring cash into both defensive and offensive cybercapabilities. David, the internet security specialist, said in this regard, “It wasn’t until Stuxnet that Iran realized it could use cybercapabilities as a weapon on such a large scale.” 

“Iran went from being a nuisance in the cyberworld to starting big cyberattacks around the world,” Alex, the hacker, said. “They began stealing encryption keys and attacking US banks. But the biggest was Operation Shamoon [2012] in which Iranian hackers were able to completely bring down Saudi Aramco, targeting 30,000 Saudi Aramco workstations. The rate at which they were able to expand caused paranoia in cybersecurity circles across the world, but especially in the Gulf countries.”

He added, “Iran’s attack against Aramco was no joke — it brought down the entire system. That’s huge.”

The West and Israel reportedly targeted Iran with four pieces of cyberweaponry between 2010 and 2012: Stuxnet, Duqu, Flame and Gauss. Each time, the Islamic Republic retaliated almost tit for tat, stealing encryption keys and certificates. In 2013, Israel said Iran was constantly attacking its power grid and water systems.

David said, “It was with Operation Cleaver [2014] that targeted US defense contractors, energy firms and educational institutions, that the United States began to really look at and study Iran’s cyberactivities. We concluded that Iran’s cyberactivities are now on par with China.” The FBI issued warnings about Operation Cleaver, which was known to have hit US Navy servers and caused breaches in other major targets.

“Unlike the Chinese or Russian cyberarmies — which stage massive attacks like a conventional army would in the real world — the Iranian Cyber Army works in a much more guerrilla fashion. They work patiently and slowly, and that’s why it is much harder to detect their activity until they have completely hacked a system,” David said. “The Iranian hackers are experts at 'personifying' by creating fake profiles on social media sites and slowly connecting to people. They establish relationships with users on other ends, and after a long period of time they will hack the system. It’s ingenious, because there is no way to detect this. They did a hack on Gmail and were able to get a lot of personal information in the same way.”

Unlike China and Syria, for instance, where cyberwarriors are official members of their country’s military and intelligence units and report to work every day, Iran keeps a bit of a distance from its hackers. In this vein, the Islamic Republic rather operates along the lines of the US model, in which private companies and hackers are mostly contracted to do the work, according to a 2013 report by California-based cybersecurity firm FireEye Inc. Like the United States and its National Security Agency (NSA), Iran also has cybercapabilities in certain intelligence bodies, but for the most part it relies on outside contractors.

One of those firms is Ajax Security, a private security company in Iran monitored by FireEye. It is thought to be one of the leading enablers of the Islamic Republic’s quest to enhance Iranian cybercapabilities. Ajax Security is thought to be behind “Operation Saffron Rose,” a series of attacks that features spear-phishing emails as well as spoofed Microsoft Outlook Web Access and virtual private network pages. The operation also includes trolling for user credentials from defense contractors and other members of the defense industry. Ajax Security is additionally active in helping the Iranian authorities monitor activists by luring them with legitimate anti-censorship tools rigged with malware. According to the FireEye report, Ajax Security has become the first Iranian hacking group known to use custom-built malicious software to launch espionage campaigns.

In a 2014 interview with Reuters, former CIA and NSA director Michael Hayden said, “I've grown to fear a nation-state that would never go toe to toe with us in conventional combat and that now suddenly finds they can arrest our attention with cyberattacks.”

Alex said he agrees with Hayden’s assessment. “That’s why the Iran deal has been so significant. These cyberattacks were happening because the United States and Iran distrusted each other and we were after their nuclear program, so they were retaliating in kind. The Iran deal has slowed all of this down and hopefully will ensure that we don’t have to be attacking each other in this fashion,” he said.

Join hundreds of Middle East professionals with Al-Monitor PRO.

Business and policy professionals use PRO to monitor the regional economy and improve their reports, memos and presentations. Try it for free and cancel anytime.

Already a Member? Sign in


The Middle East's Best Newsletters

Join over 50,000 readers who access our journalists dedicated newsletters, covering the top political, security, business and tech issues across the region each week.
Delivered straight to your inbox.


What's included:
Our Expertise

Free newsletters available:

  • The Takeaway & Week in Review
  • Middle East Minute (AM)
  • Daily Briefing (PM)
  • Business & Tech Briefing
  • Security Briefing
  • Gulf Briefing
  • Israel Briefing
  • Palestine Briefing
  • Turkey Briefing
  • Iraq Briefing

Premium Membership

Join the Middle East's most notable experts for premium memos, trend reports, live video Q&A, and intimate in-person events, each detailing exclusive insights on business and geopolitical trends shaping the region.

$25.00 / month
billed annually

Become Member Start with 1-week free trial
What's included:
Our Expertise

Memos - premium analytical writing: actionable insights on markets and geopolitics.

Live Video Q&A - Hear from our top journalists and regional experts.

Special Events - Intimate in-person events with business & political VIPs.

Trend Reports - Deep dive analysis on market updates.

We also offer team plans. Please send an email to and we'll onboard your team.

Already a Member? Sign in